Reacting to data breach litigation

June 2015 | FEATURE | LITIGATION & DISPUTE RESOLUTION

Financier Worldwide Magazine

June 2015 Issue

Companies are harvesting ever more data – from information about their own products to their increasingly global customer base, they are being forced to find new ways of storing this vast swathe of data. The current movement is toward storage in the cloud, although traditional data storage is unlikely to disappear completely anytime soon.

However, in today’s technologically advanced environment, the security of this data is constantly being called into question. With high profile data security breaches occurring on a regular basis, the suitability of companies’ data security provisions is coming under intense scrutiny. Unfortunately, for many firms, their data security policies are often found wanting. Historically, data security has been too low on the totem pole. According to Experian, many companies in the UK, for example, are surprisingly underprepared for the possibility of a data breach. In a survey of over 400 UK based executives, 34 percent of firms were found to have no data breach response plan of any sort. Of those firms with a response plan, 23 percent lacked a specialist crisis communications plan. Furthermore, 27 percent of those firms with a plan had no legal support in place. In the modern business climate these are startling, and worrying, oversights. Clearly, more must be done to prepare companies to respond in the event of a data breach.

These statistics seem all the more disturbing when viewed in the context of the last 18 months or so. For many commentators, 2014 was the year of the data breach. What was perhaps most striking about last year’s attacks was the size and reputation of the firms involved. Seemingly, no companies are immune to the threats of cyber crime or cyber terrorism. A number of global firms saw their data security compromised in 2014. Giants in their respective industries, including eBay, JP Morgan Chase, Google, Home Depot and Target, have all been victims of damaging breaches over the last two years.

Furthermore, in the latter part of 2014, entertainment giant Sony suffered data security breaches on multiple levels. Not only did the company’s computing division, Sony Computer Entertainment America, suffer a significant breach, the wider Sony Pictures Entertainment group was also targeted. The hack of Sony Pictures in November 2014 saw a huge amount of information was made public, including unreleased movies, embarrassing internal emails and the personal data of thousands of celebrities and employees. While Sony was burnt by controversial emails between executives, it was the release of social security numbers, dates of birth and medical conditions of staff members that had a lasting effect on the company and left the firm facing significant legal ramifications.

Costs – financial and otherwise

Some data suggests that the actual financial cost of these data breaches is comparatively small. According to a study released by Benjamin Dean, a fellow at Columbia University’s School of International and Public Affairs, the dollar cost of data breaches is relatively low. Following analysis of the Target, Home Depot and Sony attacks, the data suggests that the actual expenses reported by these companies as a result of their respective breaches amounted to less than 1 percent of each company’s annual revenues. Given the size of these firms, these figures are reasonably manageable. The Sony breach is believed to have cost the firm around $15m. The company notes that its $15m bill was related to “investigation and remediation costs”, however the costs of these breaches cannot always be measured in dollars and cents – reputational damage can be significantly more costly for firms in the long term.

Data breach litigation has been rising in recent years, and this is set to continue.

In Target’s case, for example, the credit and debit card information of around 40 million of its customers was stolen, along with the personal information, such as email and postal addresses, of anywhere between 70 million and 110 million people. As a result of this breathtaking breach, Target has faced significant financial and legal repercussions. The firm estimated in August 2014 that the cost of the breach was around $148m, however it has also endured significant reputational damage. Not only did the company’s share price collapse during 2014, there was also a backlash from customers. During the crucial Christmas shopping period, a large number of Target’s customers simply went elsewhere. In many respects, Target is still fighting to repair the reputation damage it incurred in 2013, and for many customers that trust may never return.

Litigation

Data breach litigation has been rising in recent years, and this is set to continue. “Whereas in most cases the financial implications of data breach litigation are manageable, the reputational damage resulting from a breach is very hard to quantify. It also typically takes a long time for a company’s reputation to recover,” says Wim Nauwelaerts, a partner at Hunton & Williams.

In March 2015, Target agreed to a $10m settlement of a lawsuit brought against it by a number of customers. The settlement has been ratified by a federal judge, though customers will have until November to register any disagreement. The terms of the settlement award shoppers affected by the breach up to $10,000 each in damages. In order to qualify for the award, individuals must be able to prove that unauthorised charges were made to their credit cards. Claimants must also be able to demonstrate that they dedicated time to investigate and address the fraudulent charges and incurred costs from correcting their credit report because of higher interest rates or fees, from replacing driver’s licences or other forms of identification, or from hiring identity protection companies or lawyers. Unfortunately for firms which fall victim to a data breach, the Target lawsuit does not appear to be an isolated incident.

Data breach lawsuits are often difficult cases to prove. In April, for example, the class action against Horizon Blue Cross Blue Shield of New Jersey was dismissed, with the judge citing that an injury sufficient to confer standing was not proven. According to New Jersey US District Judge Claire Cecchi, the plaintiffs were unable to prove that because a violation of statutory rights took place, hypothetical future injuries could potentially take place.

Sony has also been subject to litigation following its breach. Two former employees have filed separate lawsuits against Sony, accusing the firm of failing to protect the personal information of thousands of employees worldwide. Spurred on by the Target case and a further recent class action suit concerning a data breach at software firm Adobe, the former Sony employees may have a strong case. The Adobe case saw a California court uphold the claim, noting that the plaintiffs had a legitimate case because they suffered an impending threat of harm, not merely the potential for harm, since their data had been posted online, and therefore became freely available.

With instances of data breach on the up and related litigation more prevalent, what are companies’ available legal responses? The laws covering data breaches are evolving, along with case decisions. Some breached companies have successfully been able to get data breach cases thrown out by capitalising on the 2013 US Supreme Court decision in Clapper vs. Amnesty International. The Clapper ruling required plaintiffs to allege that a threatened injury is “certainly impending” in order to constitute an injury sufficient to convey Article III constitutional standing. The Supreme Court’s ruling in Clapper cast doubt on Article III standing in data breach cases where the only harm alleged is speculative.

The Clapper ruling has been a useful and important one for data breach defendants, and has certainly had an effect on a number of cases in the two years since the initial ruling. Around half a dozen or so claims in the US have been rejected by federal judges who have claimed that consumers lack the standing to sue a company merely because their personal data was compromised.

However, the Clapper ruling will clearly not bring about an end to all data breach litigation. Those cases where the plaintiffs are able to state a credible injury will still be permitted to proceed. Class actions, it would seem, will also be permitted, though these cases may simply be the exception rather than the rule. Furthermore, Clapper served only to address the question of standing in federal courts; as a result, it seems likely that data breach litigation may be able to proceed as normal in state court. For those companies defending against data breach going forward, it will be imperative that they seek out appellate opinions applying Clapper.

Preparation

For all companies operating in the modern business environment, data privacy has become a serious issue. As we have seen in recent years, one misstep or oversight can have drastic consequences, so it is imperative that companies get their approach to data privacy right.

For companies operating in the US, there is no universal approach to data breaches and data breach notification law. With all but three US states enacting their own form of notification legislation, compliance with these rules can be difficult to maintain. Though there has been some suggestion that Congress may set out a number of uniform responsibilities and liabilities for companies, this has yet to materialise. For companies concerned about the possibility of a data breach – and that should be all companies – taking a proactive and vigilant approach to data protection is paramount.

Firms should endeavour to develop vigorous and comprehensive privacy and information security protocols, as well as wide ranging education programs for their employees and third party partners. Negligence among employees can be hard to stamp out, but it is one of the most frequent causes of data leaks. Companies should also ensure that they have separate security response and communication plans in place, in the event that they fall victim to a breach. As Mr Nauwelaerts notes, “It is critical to ensure that firms implement preventive data security measures that reduce the risk of data breaches as much as possible. They should also put in place data breach response plans aimed at handling breaches swiftly and in compliance with legal requirements, such as breach notification duties.” As the old axiom suggests, failing to prepare is preparing to fail.